Security News

Once authenticated, a session cookie maintains the session state and the user's browsing session stays authenticated. Figure A. Each cookie stored in the browser's database contains a list of parameters and values, including in some cases a unique token provided by the web service once authentication is validated.

We'll look at why companies are concerned about facial recognition as well as some alternatives that are both secure and friendly towards employees' concerns. The most common alternative to facial recognition would be two-factor authentication using an app such as Authy or Google Authenticator.

Active adversaries are increasingly exploiting stolen session cookies to bypass multi-factor authentication and gain access to corporate resources, according to Sophos. "Over the past year, we've seen attackers increasingly turn to cookie theft to work around the growing adoption of MFA. Attackers are turning to new and improved versions of information stealing malware like Raccoon Stealer to simplify the process of obtaining authentication cookies, also known as access tokens," said Sean Gallagher, principal threat researcher, Sophos.

RubyGems, the official package manager for the Ruby programming language, has become the latest platform to mandate multi-factor authentication for popular package maintainers, following the footsteps of NPM and PyPI. To that end, owners of gems with over 180 million total downloads are mandated to turn on MFA effective August 15, 2022. What's more, gem maintainers who cross 165 million cumulative downloads are expected to receive reminders to turn on MFA until the download count touches the 180 million thresholds, at which point it will be made mandatory.

There are a variety of roadblocks associated with moving to passwordless authentication. Further, the app owners will often resist changing them to support passwordless flows.

VMware and experts alike are urging users to patch multiple products affected by a critical authentication bypass vulnerability that can allow an attacker to gain administrative access to a system as well as exploit other flaws. "Given the prevalence of attacks targeting VMware vulnerabilities and a forthcoming proof-of-concept, organizations need to make patching CVE-2022-31656 a priority," Claire Tillis, senior research engineer with Tenable's Security Response Team, said in an email to Threatpost.

Specops Software released new research finding cybersecurity weaknesses in business web apps including Shopify, Zendesk, Trello, and Stack Overflow. This Help Net Security video reveals how popular business web applications failed to implement critical password and authentication requirements to protect customers.

Researchers have discovered four "High impact" security risks in the identity and access management platform Okta, according to a Tuesday report. Platforms like Okta also offer features like password management and single sign-on, allowing users to more seamlessly login and move from one software environment to another.

AWS fixed three authentication bugs present in one line of code in its IAM Authenticator for Kubernetes, used by the cloud giant's popular managed Kubernetes service Amazon EKS, that could allow an attacker to escalate privileges within a Kubernetes cluster. Amazon updated all EKS clusters worldwide as of June 28, and the new version of the AWS IAM Authenticator for Kubernetes fixes the flaw.

A report released Tuesday by the Cyber Readiness Institute looks at the slow state of MFA adoption among SMBs. CRI surveyed 1,403 small business owners across the U.S., the U.K., New Zealand, Japan, India, Germany, Canada and Australia from May 2 to May 15. Among the respondents, 55% admitted that they're not very aware of MFA and its security benefits, while 54% said they haven't adopted MFA for their business.